CIA Tools to Spy on Offline Computers with USB Drives Leaked

Posted on June 25, 2017

No matter how secure you think a computer is, there’s probably someone out there armed with an exploit that could blow it wide open. The only way to be relatively sure no one will gain access to the data on that machine is to disconnect it from the internet and tightly control who can lay their hands on it in real life. A new cache of CIA documents posted on Wikileaks reveals the methods employed by the CIA to hack these so-called “air-gapped” machines. As with many exploits, it relies on people being the weak link.

There have been a number of ingenious proofs of concept over the years for accessing an air-gapped computer without a network. For example, heat output, fan noise, and even the faint clicking of a spinning hard drive have been used to retrieve data without a network connection. The CIA’s air-gap hacking tools rely upon traditional exploits, but with some clever wrapping that uses careless people to carry them from a network to the air-gapped system.

To hack an air-gapped system, a CIA operative first installs custom “Brutal Kangaroo” malware on an internet-connected system. This computer or network is known as the primary host. The malware lies in wait until someone plugs a USB drive or other form of removable storage into the system. Then, the malware copies itself to the drive so it can hitch a ride across the air gap. Should someone plug one of these infected USB drives into the air-gapped system, the malware copies itself and begins collecting data as it was programmed to. It can also delete a predetermined list of files, if they are found.

So, Brutal Kangaroo has reached its target and collected data; how does it transmit that data back to the CIA? Again, it has to wait for someone to plug in another USB drive. When that drive reaches the primary host machine, the malware uploads its findings. The data beamed back to the CIA can even contain data from machines the malware didn’t directly infect: Brutal Kangaroo is programmed to set up a covert network on its target, on the assumption that there are multiple machines inside the air-gapped network.
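The two-way USB hop described above is exactly what a "sheep-dip" station between the networked side and the air-gapped side is meant to catch. The following is an added example, not code from the article or from the leaked documents: it treats a directory as a stand-in for a mounted USB drive, records a manifest of the drive's contents while it is still trusted, and after the drive has visited an untrusted host flags files that appeared or changed, files with code-carrying extensions, and files whose content starts with an executable header regardless of their name. The extension list, the sample file contents and the scenario in `demo()` are all constructed for the example.

```python
"""Sheep-dip check for removable media crossing an air gap (added example).

Scans a directory standing in for a mounted USB drive, flags files whose
type or content could carry code, and diffs the drive against a manifest
recorded when the drive was last trusted, so anything a compromised
"primary host" copied onto it shows up as unexpected.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions a sheep-dip for an air-gapped network would normally refuse.
# Assumption: an allow-list of plain data formats is enforced elsewhere;
# this deny-list is illustrative, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".dll", ".lnk", ".scr", ".com", ".pif",
                    ".js", ".vbs", ".ps1", ".bat", ".cmd", ".msi", ".hta"}

# Magic bytes that identify code regardless of extension: PE ("MZ") and ELF.
CODE_MAGIC = (b"MZ", b"\x7fELF")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def scan_drive(root: Path, trusted: Dict[str, str]) -> Dict[str, List[str]]:
    """Return findings keyed by category; all-empty lists mean the drive is clean."""
    findings: Dict[str, List[str]] = {
        "risky_extension": [], "code_magic": [],
        "unexpected": [], "modified": [], "missing": [],
    }
    current = build_manifest(root)
    for rel, digest in current.items():
        p = root / rel
        if p.suffix.lower() in RISKY_EXTENSIONS:
            findings["risky_extension"].append(rel)
        with p.open("rb") as f:
            head = f.read(4)
        if head.startswith(CODE_MAGIC):          # content check beats the filename
            findings["code_magic"].append(rel)
        if rel not in trusted:
            findings["unexpected"].append(rel)   # arrived while the drive was away
        elif trusted[rel] != digest:
            findings["modified"].append(rel)     # altered while the drive was away
    findings["missing"] = sorted(set(trusted) - set(current))
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean drive leaves the secure side, then a
    compromised host drops a disguised executable and a shortcut file and
    tampers with an existing document. Returns the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "report.txt").write_text("quarterly figures\n")
        (drive / "notes.csv").write_text("a,b\n1,2\n")
        trusted = build_manifest(drive)          # recorded while still trusted
        # constructed samples of what shows up after the untrusted hop
        (drive / "brochure.pdf").write_bytes(b"MZ" + b"\x00" * 62)   # PE header, doc name
        (drive / "report.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 16)
        (drive / "report.txt").write_text("quarterly figures\n-- tampered\n")
        return scan_drive(drive, trusted)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:16s} {paths}")
```

The manifest diff is the part that matters most for this tool's design: a drive that has merely been plugged into the primary host will come back with files the secure side never put there, and that alone is grounds to quarantine it, even before anything on it is identified as malicious. The check only covers the copy step; it should sit alongside a policy that prevents the air-gapped machines from executing anything off removable media at all.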

According to the document, certain antivirus applications running on the target machine could foil Brutal Kangaroo, including BitDefender. Symantec’s antivirus would pop up a warning when the malware attempted to run, indicating to the user that something was amiss. As with many leaked CIA documents, this information may be out of date, so the techniques being employed now could be much more advanced and able to circumvent such detection measures.